Tractable rational map public-key system

ABSTRACT

The present invention relates generally to a message processing method, and more specifically to an encryption and decryption method of a public-key cryptosystem. Choose a finite field K and several tractable rational maps over K. Find a map representation φ, which represents the composition of these tractable rational maps. Let the field K and the map φ be the public key, and these tractable rational maps be the private key. The invention comprises the following steps: applying a cryptographic computational algorithm to encrypt the original plaintext into an encrypted text, called ciphertext, with one key; distributing the ciphertext through a medium; receiving the ciphertext from the medium; and decrypting the ciphertext into the original plaintext with the other key. This invention can be applied to message transferring, data storage, data security, product authentication, and digital signature systems.

REFERENCE CITED

[0001] U.S. PATENT DOCUMENT: U.S. Pat. No. 5,740,250, Apr. 14, 1998, Moh, 380/28.

FIELD OF THE INVENTION

[0002] The present invention relates generally to an encryption and decryption method of a public-key cryptosystem, and in particular to tractable rational maps applied to an encryption and decryption method of a public-key cryptosystem.

BACKGROUND OF THE INVENTION

[0003] Public-key cryptology is an important achievement in the development of cryptography. A major characteristic of a public-key system is the use of two keys in its computation algorithm: one of the keys is private, while the other is publicly obtainable. The public-key computational algorithms use one of the keys for encryption and the other key for decryption. It is important for the algorithms to meet the following requirement: for someone who knows only the cryptographic algorithm and the encryption key, it is computationally infeasible to find out the decryption key. Some cryptographic algorithms, such as RSA, can use either one of the two keys for encryption, but only one key for decryption. The two keys of a public-key system are named public key and private key, respectively. The private key, as its name indicates, must be kept private. The basic steps of a public-key system are shown below:

[0004] 1. The person A generates a pair of keys;

[0005] 2. The person A places the encryption key, called the public key, in an open registered place or in a public file, and keeps the other key private;

[0006] 3. If the person B sends a message, called plaintext, to the person A, B must use A's public key to encrypt the message, and generate an encrypted message, called ciphertext; and

[0007] 4. When the person A receives the ciphertext, A uses the private key to decrypt the ciphertext into the original plaintext. The ciphertext cannot be decrypted without the private key.

[0008] A public-key cryptosystem must satisfy the following:

[0009] 1. For the person A, the generation of a pair of keys must be fast;

[0010] 2. For the person B who sends a message, given the public key and the plaintext, the generation of the ciphertext must be fast;

[0011] 3. For the person A who receives the ciphertext, using a private key to decrypt the ciphertext in order to obtain the original plaintext must be fast;

[0012] 4. It is computationally infeasible for anyone who knows only the public key and ciphertext to reverse the computation to find out the private key; and

[0013] 5. It is computationally infeasible for anyone who knows only the public key and the ciphertext to reverse the computation to find out the original plaintext.

[0014] Depending on the application, a person can use their own private key and/or the public key of another person to perform certain types of cryptographic functions, such as:

[0015] 1. Encryption/decryption;

[0016] 2. Authentication (digital signature); and

[0017] 3. Key exchange.

[0018] Conventional public-key cryptosystems mostly use the RSA scheme in their algorithms. However, in recent years, in order to improve the security of RSA, the key size has been increased, which, in turn, makes RSA slow and impractical. In fact, fewer and fewer systems now use RSA to encrypt and decrypt a large amount of information, because of its slow computation.

SUMMARY OF THE INVENTION

[0019] The primary goal of the present invention is to provide an encryption and decryption method for a public-key cryptosystem.

[0020] The second goal of the present invention is to provide a fast means for encryption and decryption, which not only speeds up digital authentication, but can also be directly applied to encrypt and decrypt a large amount of information.

[0021] To achieve the aforementioned goals, the present invention provides a message processing method, comprising:

[0022] 1. applying encryption computation to transform a plaintext into a corresponding ciphertext;

[0023] 2. distributing said ciphertext through a medium;

[0024] 3. receiving said ciphertext through a medium; and

[0025] 4. decrypting said ciphertext.

[0026] Wherein said encryption and decryption steps are based on the tractable rational map computation method.

[0027] The said tractable rational map algorithm uses two cryptographic keys, one of said cryptographic keys is the private key {φ₁, …, φₖ}, while the other said cryptographic key is the public key π(x₁, x₂, …, xₙ), wherein said private key {φ₁, …, φₖ} is a set of tractable rational maps, and said public key is the composition of these tractable rational maps

φₖ ⋯ φ₂φ₁(x₁, x₂, …, xₙ)

[0028] simplified by the relations

xᵢ^(#(K)) = xᵢ, i = 1, …, n

[0029] where #(K) is the number of elements in the finite field K. The said tractable rational map

φ: Kⁿ → Kⁿ

[0030] comprises the following formula:

y₁ = r₁(x₁)

y₂ = r₂(x₂)·(p₂(x₁)/q₂(x₁)) + (f₂(x₁)/g₂(x₁))

⋮

yⱼ = rⱼ(xⱼ)·(pⱼ(x₁, x₂, …, xⱼ₋₁)/qⱼ(x₁, x₂, …, xⱼ₋₁)) + (fⱼ(x₁, x₂, …, xⱼ₋₁)/gⱼ(x₁, x₂, …, xⱼ₋₁))

⋮

yₙ = rₙ(xₙ)·(pₙ(x₁, x₂, …, xₙ₋₁)/qₙ(x₁, x₂, …, xₙ₋₁)) + (fₙ(x₁, x₂, …, xₙ₋₁)/gₙ(x₁, x₂, …, xₙ₋₁))

[0035] wherein K is a finite field, p₂, p₃, …, pₙ, q₂, q₃, …, qₙ, f₂, f₃, …, fₙ, and g₂, g₃, …, gₙ are all polynomials, r₁, …, rₙ are permutation polynomials, and the variables x₁, x₂, …, xₙ may appear in any order or be any variation of their affine transformation.

BRIEF DESCRIPTION OF THE DRAWINGS

[0036] The foregoing aspects and many of the attendant advantages of this invention will become more readily appreciated as the same becomes better understood by reference to the following detailed description, when taken in conjunction with the accompanying drawings, wherein:

[0037] FIG. 1 depicts a flow chart for message processing of the present invention; and

[0038] FIG. 2 depicts a computer system for message processing of the present invention.

DETAILED DESCRIPTION OF THE INVENTION

[0039] FIG. 1 is a flow chart for message processing. Step 10 is the use of the encryption algorithm to transform the original plaintext into the corresponding ciphertext. Step 12 is to distribute the ciphertext produced by step 10 through a medium, step 14 is a step for receiving the ciphertext, and step 16 is to decrypt the ciphertext. The encryption algorithm of step 10 and the decryption algorithm of step 16 are both based on the tractable rational map algorithm, to encrypt the original message and to decrypt the encrypted message. For further information on the tractable rational map, a mathematical description will be presented later.

[0040] FIG. 2 is a computer system for message processing of the present invention. A computer 20 executes at least one encryption tool 22 of the present invention, and a computer 30 executes at least one decryption tool 32 of the present invention. The encryption tool 22 and the decryption tool 32 are both programs, that is, software embodiments of the present invention. A computer 20 executes an encryption tool 22 to encrypt the original message into an encrypted message, which is distributed through distributing device 24 into medium 40. Through the distributing device 34, a computer 30 receives the encrypted message from the medium 40 and executes the decryption tool 32 to transform the encrypted message into the original message. The distributing devices 24, 34 may be electronic communication devices, optical recording devices, magnetic recording devices, card devices, or printers, while medium 40 may be an electronic communication medium, data card, printing medium, semiconductor memory medium, optical recording medium, magnetic recording medium, etc.

[0041] A mathematical discussion of tractable rational maps is presented below to facilitate the understanding of the present invention.

MATHEMATICAL DISCUSSION

[0042] Let K be a finite field and let #(K) denote the number of elements in the finite field K. Each element c in the finite field K satisfies

c^(#(K)) = c.

[0043] We should distinguish a polynomial over a finite field from a polynomial map over a finite field. For example, f(x) = x and g(x) = x^(#(K)) are two different polynomials but they induce the same polynomial map.

[0044] A polynomial f ∈ K[x] is called a permutation polynomial of K if the associated polynomial map

c → f(c)

[0045] from K into K is a permutation of K. The above map c → f(c) is called a permutation polynomial map. Note that the inverse map of a permutation polynomial map is also a permutation polynomial map. There are many known permutation polynomials. For example, x^d is a permutation polynomial for any integer d coprime with (#(K)−1). If #(K) = 256, x⁴ + x² + x is a permutation polynomial. If #(K) = 256 and a¹⁷ ≠ 1, x¹⁶ + ax is a permutation polynomial.

[0046] Given a permutation polynomial r(x) and a point y in K, it is easy to work out the inverse image r⁻¹(y) if #(K) is small. The polynomial representing the inverse map can be either directly computed, or the inverse image can be found in the table of function values.

AFFINE TRANSFORMATION

[0047] Let Kⁿ be the n-dimensional affine space over K and define an affine transformation from Kⁿ to Kᵐ as the following map:

$$\begin{pmatrix} y_{1} \\ y_{2} \\ \vdots \\ y_{j} \\ \vdots \\ y_{m} \end{pmatrix} = \begin{pmatrix} a_{11}x_{1} + a_{12}x_{2} + \ldots + a_{1n}x_{n} + b_{1} \\ a_{21}x_{1} + a_{22}x_{2} + \ldots + a_{2n}x_{n} + b_{2} \\ \vdots \\ a_{j1}x_{1} + a_{j2}x_{2} + \ldots + a_{jn}x_{n} + b_{j} \\ \vdots \\ a_{m1}x_{1} + a_{m2}x_{2} + \ldots + a_{mn}x_{n} + b_{m} \end{pmatrix}$$

[0048] Obviously, an affine transformation is, in fact, a linear map plus a shift translation. An invertible affine transformation is an affine transformation whose inverse map exists. An injective affine transformation is an affine transformation which is a one-to-one map. The following standard injection is an example of an injective affine transformation:

$$\rho\begin{pmatrix} x_{1} \\ \vdots \\ x_{24} \end{pmatrix} = \begin{pmatrix} x_{1} \\ \vdots \\ x_{24} \\ 0 \\ \vdots \\ 0 \end{pmatrix}$$

TRACTABLE RATIONAL MAP

[0049] A tractable rational map is defined as either an injective affine transformation from Kⁿ to Kᵐ or, after a permutation of indices if necessary, the following rational map on the affine space Kⁿ:

$$\begin{pmatrix} y_{1} \\ y_{2} \\ \vdots \\ y_{j} \\ \vdots \\ y_{n} \end{pmatrix} = \begin{pmatrix} r_{1}(x_{1}) \\ r_{2}(x_{2}) \cdot \frac{p_{2}(x_{1})}{q_{2}(x_{1})} + \frac{f_{2}(x_{1})}{g_{2}(x_{1})} \\ \vdots \\ r_{j}(x_{j}) \cdot \frac{p_{j}(x_{1},\ldots,x_{j-1})}{q_{j}(x_{1},\ldots,x_{j-1})} + \frac{f_{j}(x_{1},\ldots,x_{j-1})}{g_{j}(x_{1},\ldots,x_{j-1})} \\ \vdots \\ r_{n}(x_{n}) \cdot \frac{p_{n}(x_{1},\ldots,x_{n-1})}{q_{n}(x_{1},\ldots,x_{n-1})} + \frac{f_{n}(x_{1},\ldots,x_{n-1})}{g_{n}(x_{1},\ldots,x_{n-1})} \end{pmatrix}$$

[0050] wherein r₁, …, rₙ are permutation polynomials and p₁, …, pₙ are non-vanishing polynomials.

[0051] A tractable rational map is defined only on a subset of Kⁿ. If q₁, …, qₙ and g₁, …, gₙ in the above rational map are non-vanishing polynomials, then the above rational map is defined on the whole affine space Kⁿ and gives a bijection of Kⁿ.

[0052] Given a tractable rational map Y = φ(X), pick an image point Y₀. Then

Y₀ = φ(X₀)

[0053] for some X₀. The point X₀ can be easily obtained as follows. If φ is an injective affine transformation, the point X₀ can be computed with basic linear algebra techniques. Hence, φ is assumed to be the aforementioned rational map. The assumption of Y₀ being an image point implies that the function values of q₁, …, qₙ and g₁, …, gₙ at X₀ are not zero. What needs to be computed is x₁, …, xₙ of the following equations, for given y₁, …, yₙ:

$$\left\{ \begin{matrix} y_{1} = r_{1}(x_{1}) \\ y_{2} = r_{2}(x_{2}) \cdot \frac{p_{2}(x_{1})}{q_{2}(x_{1})} + \frac{f_{2}(x_{1})}{g_{2}(x_{1})} \\ \vdots \\ y_{j} = r_{j}(x_{j}) \cdot \frac{p_{j}(x_{1},\ldots,x_{j-1})}{q_{j}(x_{1},\ldots,x_{j-1})} + \frac{f_{j}(x_{1},\ldots,x_{j-1})}{g_{j}(x_{1},\ldots,x_{j-1})} \\ \vdots \\ y_{n} = r_{n}(x_{n}) \cdot \frac{p_{n}(x_{1},\ldots,x_{n-1})}{q_{n}(x_{1},\ldots,x_{n-1})} + \frac{f_{n}(x_{1},\ldots,x_{n-1})}{g_{n}(x_{1},\ldots,x_{n-1})} \end{matrix} \right.$$

[0054] The computation is performed recursively. First, given y₁,

x₁ = r₁⁻¹(y₁).

[0055] Then, x₁ in the second equation is substituted to obtain

$$x_{2} = r_{2}^{-1}\left( \left( y_{2} - \frac{f_{2}(x_{1})}{g_{2}(x_{1})} \right) \frac{q_{2}(x_{1})}{p_{2}(x_{1})} \right).$$

[0056] Inductively, after x₁, …, xⱼ₋₁ are computed, x₁, …, xⱼ₋₁ in the j-th equation can be substituted to obtain

$$x_{j} = r_{j}^{-1}\left( \left( y_{j} - \frac{f_{j}(x_{1},\ldots,x_{j-1})}{g_{j}(x_{1},\ldots,x_{j-1})} \right) \frac{q_{j}(x_{1},\ldots,x_{j-1})}{p_{j}(x_{1},\ldots,x_{j-1})} \right).$$

[0057] Finally, the point X₀ is obtained.

[0058] It is important to note that tractable rational maps have the following two properties, even though an explicit form for φ⁻¹ is difficult to express in full because the fractional function is complicated and contains many terms:

[0059] 1. The inverse image X₀ = φ⁻¹(Y₀) for an image point Y₀ can be computed very quickly by solving each component recursively; and

[0060] 2. The inverse map of a tractable rational map is still a tractable rational map.
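
The permutation polynomials of paragraph [0045], the table inverse of [0046] and the recursive pre-image computation of [0053] to [0057], as an added Python example that is not part of the patent text. Assumptions: the GF(256) modulus 0x11B, α = 1 with β found by search, and a six-variable map `PHI` built from the component equations y₁ to y₆ listed for the second embodiment.

```python
from functools import lru_cache

MOD = 0x11B  # assumed modulus t^8+t^4+t^3+t+1; the page does not fix one

def gf_mul(a, b):
    """Multiply in GF(256): carry-less product reduced by MOD."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= MOD
        b >>= 1
    return r

def gf_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r

def gf_inv(a):
    if a == 0:  # a denominator vanished: the point is outside the map's domain
        raise ZeroDivisionError("rational map undefined at this point")
    return gf_pow(a, 254)  # c^(#K) = c, so c^(#K - 2) = 1/c

@lru_cache(maxsize=None)
def inverse_table(r):
    """Value table of r^-1 as in [0046]; None if r does not permute K."""
    table = [None] * 256
    for c in range(256):
        v = r(c)
        if table[v] is not None:
            return None
        table[v] = c
    return table

# Permutation polynomials named in [0045].
def power(d):
    return lambda x: gf_pow(x, d)  # permutes K iff gcd(d, 255) = 1

def quartic(x):
    return gf_pow(x, 4) ^ gf_pow(x, 2) ^ x  # x^4 + x^2 + x

def lin16(a):
    return lambda x: gf_pow(x, 16) ^ gf_mul(a, x)  # x^16 + a*x

def never_zero(alpha, beta):
    """True if t^2 + alpha*t + beta has no root in K (irreducible)."""
    return all(gf_mul(t, t) ^ gf_mul(alpha, t) ^ beta for t in range(256))

ALPHA = 1  # constructed parameter
BETA = next(b for b in range(1, 256) if never_zero(ALPHA, b))

def quad(t):
    return gf_mul(t, t) ^ gf_mul(ALPHA, t) ^ BETA  # non-vanishing on K

def sq(c): return gf_mul(c, c)
def ident(c): return c
def one(x): return 1
def zero(x): return 0

# One row per component: (r_j, p_j, q_j, f_j, g_j); p, q, f, g receive the
# list [x_1, ..., x_{j-1}]. Rows are y1..y6 of the second embodiment.
PHI = [
    (sq,    one, one, zero, one),                          # y1 = x1^2
    (sq,    one, one, lambda x: x[0], one),                # y2 = x2^2 + x1
    (ident, one, one, lambda x: gf_mul(x[0], x[1]), one),  # y3 = x3 + x1*x2
    (ident, one, lambda x: quad(x[2]), zero, one),         # y4 = x4 / quad(x3)
    (ident, lambda x: quad(x[2]), one, zero, one),         # y5 = x5 * quad(x3)
    (ident, one, one, lambda x: gf_mul(x[2], x[4]), one),  # y6 = x6 + x3*x5
]

def apply_map(phi, x):
    """Forward evaluation: y_j = r_j(x_j) * p_j/q_j + f_j/g_j."""
    y = []
    for j, (r, p, q, f, g) in enumerate(phi):
        head = x[:j]
        scale = gf_mul(p(head), gf_inv(q(head)))
        shift = gf_mul(f(head), gf_inv(g(head)))
        y.append(gf_mul(r(x[j]), scale) ^ shift)
    return y

def invert_map(phi, y):
    """Recursive pre-image: x_j = r_j^-1((y_j - f_j/g_j) * q_j/p_j)."""
    x = []
    for (r, p, q, f, g), yj in zip(phi, y):
        shift = gf_mul(f(x), gf_inv(g(x)))      # subtraction is XOR in char 2
        unscale = gf_mul(q(x), gf_inv(p(x)))
        x.append(inverse_table(r)[gf_mul(yj ^ shift, unscale)])
    return x
```

`inverse_table` returns `None` for a polynomial that is not a permutation, for example `power(3)` or `lin16(a)` with a¹⁷ = 1, which is the condition [0045] excludes.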

PREFERRED EMBODIMENTS

[0061] The present invention is a public-key cryptosystem based on a tractable rational map. The spirit of this invention is to use the composite map of several tractable rational maps. Although the previous discussion shows that a pre-image of a tractable rational map can be easily obtained, the composition no longer has the inductive structure of a tractable rational map, so it is hard to obtain the pre-image of the composition for a given point. Nevertheless, for those who know the original tractable rational maps, it would be easy and fast to obtain the pre-image of the composition by simply computing the pre-image of each individual tractable rational map in succession.

[0062] Based on the design rule of the tractable rational map public-key cryptosystem, the preferred embodiment is described in detail below. First, the person A chooses a finite field and assigns a certain dimension of the affine space. According to the dimension of the affine space, the person A designs several tractable rational maps and computes their composition. The composition and the selected finite field are constructed as the public key of the cryptosystem, while the several tractable rational maps designed by the person A serve as the private key. The person A distributes the public key to another person B, and B uses the public key given by A to encrypt the original message before sending it to A. This means that B identifies the message with a point in the affine space and uses the public key to encrypt the original message, i.e., uses the composition to send a point in the affine space to a point in another affine space. The image point of the composition is the encrypted message encrypted by B. The person B then sends out the encrypted message to A. A uses the pre-image algorithm of the tractable rational map to compute the pre-image of each individual tractable rational map in succession. After the process, the original message of B can be obtained.

[0063] A further development in this invention is the addition of standard injections between the several tractable rational maps, so that the public-key cryptosystem can have an error-detecting capability. In the following embodiments, the chosen finite field is GF(256), which is the finite field with 256 elements, so the characteristic of the field is 2. It should be emphasized that the invention can be applied to any finite field and is not limited to the finite field with only 256 elements.

THE FIRST EMBODIMENT

[0064] The first embodiment uses four maps {φ₁, φ₂, φ₃, φ₄}:

$$\begin{pmatrix} x_{1} \\ \vdots \\ x_{16} \end{pmatrix} = \phi_{1}\begin{pmatrix} m_{1} \\ \vdots \\ m_{16} \end{pmatrix}, \quad \begin{pmatrix} y_{1} \\ \vdots \\ y_{16} \end{pmatrix} = \phi_{2}\begin{pmatrix} x_{1} \\ \vdots \\ x_{16} \end{pmatrix}, \quad \begin{pmatrix} z_{1} \\ \vdots \\ z_{16} \end{pmatrix} = \phi_{3}\begin{pmatrix} y_{1} \\ \vdots \\ y_{16} \end{pmatrix}, \quad \begin{pmatrix} w_{1} \\ \vdots \\ w_{16} \end{pmatrix} = \phi_{4}\begin{pmatrix} z_{1} \\ \vdots \\ z_{16} \end{pmatrix}.$$

[0065] wherein {φ₁, φ₄} are invertible affine transformations, {φ₂, φ₃} are tractable rational maps, and the composition can be written as:

$$\begin{pmatrix} w_{1} \\ \vdots \\ w_{16} \end{pmatrix} = \phi_{4} \circ \phi_{3} \circ \phi_{2} \circ \phi_{1}\begin{pmatrix} m_{1} \\ \vdots \\ m_{16} \end{pmatrix}$$

[0066] That is, the composition consists of 16 quadratic polynomials of 16 variables. Because {φ₁, φ₄} are simply invertible affine transformations, for convenience, we only list {φ₂, φ₃}.

y₁ = x₁²

y₂ = x₂² + x₁

y₃ = x₃

y₄ = x₄ + x₂x₃

y₅ = x₅

y₆ = x₆ + x₂x₅

y₇ = x₇ + x₃x₅

y₈ = x₈ + x₆²

y₉ = x₉ + x₆x₈

y₁₀ = x₁₀ + x₈²

y₁₁ = x₁₁ + x₁₀²

y₁₂ = x₁₂ + x₁₁²

y₁₃ = x₁₃ + x₁₂²

y₁₄ = x₁₄ + x₁₃²

y₁₅ = x₁₅ + x₁₃x₁₄

y₁₆ = x₁₆ + x₁₄²

z₁ = y₁ + Q₂⟨f(X)⟩ = x₁² + x₃x₆ + x₄x₅

z₂ = y₂ + y₃² = x₁ + x₂² + x₃²

z₃ = y₃(y₅² + αy₅ + β) + y₅y₇ = βx₃ + αx₃x₅ + x₅x₇

z₄ = y₄ = x₄ + x₂x₃

z₅ = y₅ + g(Y) = x₅ + x₆ + x₁₆²

z₆ = y₆ = x₆ + x₂x₅

z₇ = y₇ = x₇ + x₃x₅

z₈ = y₈ = x₈ + x₆²

z₉ = y₉ = x₉ + x₆x₈

z₁₀ = y₁₀ = x₁₀ + x₈²

z₁₁ = y₁₁ = x₁₁ + x₁₀²

z₁₂ = y₁₂ = x₁₂ + x₁₁²

z₁₃ = y₁₃ = x₁₃ + x₁₂²

z₁₄ = y₁₄ = x₁₄ + x₁₃²

z₁₅ = y₁₅ = x₁₅ + x₁₃x₁₄

z₁₆ = y₁₆ = x₁₆ + x₁₄²

[0067] where

Q₂⟨f(X) = x₃x₆ + x₄x₅⟩ = y₃y₆ + y₄y₅,

g(Y) = y₈¹²⁸ + y₁₀⁶⁴ + y₁₁³² + y₁₂¹⁶ + y₁₃⁸ + y₁₄⁴ + y₁₆²,

[0068] and y₅² + αy₅ + β is an irreducible polynomial in K[y₅]. Note that in the substitution of z₅,

z₅ = y₅ + g(Y) = x₅ + x₆²⁵⁶ + x₁₆² = x₅ + x₆ + x₁₆²,

[0069] the relation x₆²⁵⁶ = x₆ is used.

[0070] In this embodiment, only 16 variables are used. Apparently, there are some polynomial relations among the yᵢ's. Hence, this example is a relatively weak key and serves only, for convenience, to show the structure of the invention. In real applications, the map should be carefully chosen and a larger number of variables should be used to prevent potential attacks. However, this will increase the bit length of the public and private keys. To overcome this drawback, we can use the subfield structure to reduce the key's bit length to half or less.

THE SECOND EMBODIMENT

[0071] In the second embodiment, five maps {φ₁, ρ, φ₂, φ₃, φ₄} are used:

$$\begin{pmatrix} x_{1} \\ \vdots \\ x_{24} \end{pmatrix} = \phi_{1}\begin{pmatrix} m_{1} \\ \vdots \\ m_{24} \end{pmatrix}, \quad \begin{pmatrix} u_{1} \\ \vdots \\ u_{32} \end{pmatrix} = \rho\begin{pmatrix} x_{1} \\ \vdots \\ x_{24} \end{pmatrix} = \begin{pmatrix} x_{1} \\ \vdots \\ x_{24} \\ 0 \\ \vdots \\ 0 \end{pmatrix},$$

$$\begin{pmatrix} y_{1} \\ \vdots \\ y_{32} \end{pmatrix} = \phi_{2}\begin{pmatrix} u_{1} \\ \vdots \\ u_{32} \end{pmatrix}, \quad \begin{pmatrix} z_{1} \\ \vdots \\ z_{32} \end{pmatrix} = \phi_{3}\begin{pmatrix} y_{1} \\ \vdots \\ y_{32} \end{pmatrix}, \quad \begin{pmatrix} w_{1} \\ \vdots \\ w_{32} \end{pmatrix} = \phi_{4}\begin{pmatrix} z_{1} \\ \vdots \\ z_{32} \end{pmatrix}.$$

[0072] wherein {φ₁, φ₄} are invertible affine transformations, {φ₂, φ₃} are tractable rational maps, and ρ is a standard injection. The composition of the above five maps can be written as:

$$\begin{pmatrix} w_{1} \\ \vdots \\ w_{32} \end{pmatrix} = \phi_{4} \circ \phi_{3} \circ \phi_{2} \circ \rho \circ \phi_{1}\begin{pmatrix} m_{1} \\ \vdots \\ m_{24} \end{pmatrix}$$

[0073] That is, the composition consists of 32 quadratic polynomials of 24 variables. Because {φ₁, φ₄} are simply invertible affine transformations, for convenience, we only list {φ₂ ∘ ρ, φ₃}.

y₁ = x₁²

y₂ = x₂² + x₁

y₃ = x₃ + x₁x₂

y₄ = x₄/(x₃² + αx₃ + β)

y₅ = x₅(x₃² + αx₃ + β)

y₆ = x₆ + x₃x₅

y₇ = x₇ + x₃

y₈ = x₈

y₉ = x₉ + x₄x₇

y₁₀ = x₁₀ + x₃²

y₁₁ = x₁₁ + x₃x₈

y₁₂ = x₁₂(x₇² + αx₇ + β)

y₁₃ = x₁₃ + x₆x₉

y₁₄ = x₁₄ + x₇x₁₂

y₁₅ = x₁₅ + x₉x₁₂

y₁₆ = x₁₆ + x₉x₁₄

y₁₇ = x₁₇ + x₆x₁₄

y₁₈ = x₁₈ + x₁₀x₁₆

y₁₉ = x₁₉ + x₁₀x₁₈

y₂₀ = g₁(X)

y₂₁ = x₂₁ + x₁₃² + x₁₈x₁₉

y₂₂ = g₂(X)

y₂₃ = g₃(X)

y₂₄ = x₂₄ + x₁₄x₁₅

y₂₅ = x₃ + x₇x₈

y₂₆ = x₇ + x₆x₈

y₂₇ = x₆x₇

y₂₈ = x₃x₇

y₂₉ = x₄x₈

y₃₀ = x₅x₈

y₃₁ = x₈x₁₂

y₃₂ = x₅x₁₈

z₁ = y₁ + y₄y₅ = x₁² + x₄x₅

z₂ = y₂ + y₇y₁₁ + y₈(y₁₀ + y₂₈) = x₁ + x₂² + x₃x₁₁ + x₇x₁₁ + x₈x₁₀

z₃ = y₃ + y₅y₁₂/f(Y) = x₃ + x₁x₂ + x₅x₁₂

z₄ = y₄f(Y) + y₈y₁₃ + y₉y₂₆ + y₂₇y₂₉ = βx₄ + αx₄x₇ + x₇x₉ + x₈x₁₃

z₅ = y₅ + y₆y₂₅ + y₈y₂₇ + y₂₈y₃₀ = βx₅ + αx₃x₅ + x₃x₆

z₆ = y₆ = x₆ + x₃x₅

z₇ = y₇(y₈² + αy₈ + β) + y₈(y₁₁ + y₂₅) = β(x₃ + x₇) + α(x₃x₈ + x₇x₈) + x₃x₈ + x₈x₁₁

z₈ = y₈ + y₂₀ + y₂₁² = x₈ + x₂₀ + x₁₂² + x₂₁² + x₁₄x₁₅ + x₁₆x₁₇

z₉ = y₉ = x₉ + x₄x₇

z₁₀ = y₁₀ = x₁₀ + x₃²

z₁₁ = y₁₁ = x₁₁ + x₃x₈

z₁₂ = y₁₂ + y₈y₁₇ + y₁₄y₂₆ + y₂₇y₃₁ = βx₁₂ + αx₇x₁₂ + x₇x₁₄ + x₈x₁₇

z₁₃ = y₁₃ = x₁₃ + x₆x₉

z₁₄ = y₁₄ = x₁₄ + x₇x₁₂

z₁₅ = y₁₅ = x₁₅ + x₉x₁₂

z₁₆ = y₁₆ = x₁₆ + x₉x₁₄

z₁₇ = y₁₇ = x₁₇ + x₆x₁₄

z₁₈ = y₁₈ = x₁₈ + x₁₀x₁₆

z₁₉ = y₁₉ = x₁₉ + x₁₀x₁₈

z₂₀ = y₂₀⁴ + y₂₀² + y₂₀ + y₂₁⁸ + y₂₂⁴ + y₂₃² = g₄(X)

z₂₁ = y₂₁ = x₂₁ + x₁₃² + x₁₈x₁₉

z₂₂ = y₂₂ = x₂₂ + x₁₂² + x₁₃² + x₂₁² + x₁₆x₁₇ + x₁₈x₁₉

z₂₃ = y₂₃ + y₂₄² = x₁₉ + g₅(X)

z₂₄ = y₂₄ = x₂₄ + x₁₄x₁₅

z₂₅ = y₂₅ = x₃ + x₇x₈

z₂₆ = y₂₆ = x₇ + x₆x₈

z₂₇ = y₂₇ = x₆x₇

z₂₈ = y₂₈ = x₃x₇

z₂₉ = y₂₉ = x₄x₈

z₃₀ = y₃₀ = x₅x₈

z₃₁ = y₃₁ = x₈x₁₂

z₃₂ = y₃₂ = x₅x₁₈

[0074] where

f(Y) = (x₃² + αx₃ + β)(x₇² + αx₇ + β) = y₂₈² + αy₇y₂₈ + α²y₂₈ + αβy₇ + βy₇² + β²

g₁(X) = x₂₀ + x₁₂² + x₁₃⁴ + x₁₄x₁₅ + x₁₆x₁₇ + (x₁₈x₁₉)²,

g₂(X) = x₂₂ + x₁₂² + x₁₃² + x₂₁² + x₁₆x₁₇ + x₁₈x₁₉,

g₃(X) = x₂₃ + x₁₂² + x₁₃² + x₂₀² + x₂₂² + x₁₄x₁₅ + x₁₆x₁₇ + x₁₈x₁₉ + (x₁₄x₁₅)²,

g₄(X) = x₂₀ + x₂₃² + x₂₀² + x₂₃² + x₁₄x₁₅ + x₁₆x₁₇,

g₅(X) = x₂₃ + x₁₃² + x₁₃² + x₂₀² + x₂₂² + x₂₄² + x₁₄x₁₅ + x₁₆x₁₇ + x₁₈x₁₉

[0075] and xᵢ² + αxᵢ + β is an irreducible polynomial in K[xᵢ].

[0076] The first embodiment uses the tractable rational bijections, so the composition is still a bijection of the affine space. It is important for real applications such as digital authentication systems to make the map bijective. The second embodiment uses not only the tractable rational map but also the standard injection. In this way, the addition of a standard injection equips the system with the error-detecting capability, and allows more variations of the embodiments. Similarly, the addition of a surjective but not injective affine transformation also allows more variations of the embodiments for digital signature.

ADDITIONAL APPLICATION EMBODIMENTS

[0077] In accordance with the theory of the present invention, it can also be used for preserving privacy and attesting to the integrity of information. The method comprises the following steps: using an encrypting algorithm to transform the original message into an encrypted message, and, when the original plaintext is needed, using a decrypting algorithm to decrypt the encrypted message back into the original message. The encryption and decryption processes are both based on the tractable rational map algorithm. In this embodiment, the tractable rational map algorithm uses two cryptographic keys: one of them is the private key, a set {φ₁, …, φₖ}, while the other key is the public key π(x₁, x₂, …, xₙ), wherein π(x₁, x₂, …, xₙ) is the composition

φₖ ⋯ φ₂φ₁(x₁, x₂, …, xₙ)

[0078] simplified by the relations

xᵢ^(#(K)) = xᵢ, i = 1, …, n.

[0079] In accordance with the theory of the present invention, it can also be used for verifying the authenticity of a product. The method comprises the following steps: using a private key based on the tractable rational map algorithm to transform the identification information of a product into an encrypted message, and using a public key based on the tractable rational map algorithm to decrypt the encrypted message into the identification information of the product to verify the authenticity of the product, when necessary. The identification information can be the serial number of the product or anything that is representative of the product. In the embodiment, the tractable rational map algorithm uses two cryptographic keys: one of them is the private key, a set {φ₁, …, φₖ}, while the other key is the public key π(x₁, x₂, …, xₙ), wherein π(x₁, x₂, …, xₙ) is the composition

φₖ ⋯ φ₂φ₁(x₁, x₂, …, xₙ)

[0080] simplified by the relations

xᵢ^(#(K)) = xᵢ, i = 1, …, n.

[0081] In accordance with the theory of the present invention, it can also be used for preventing alteration of information on a storage device. The method comprises the following steps: using a private key based on the tractable rational map algorithm to encrypt information and storing the encrypted information on a storage device, and using a public key based on the tractable rational map to decrypt the encrypted information. In the embodiment, the tractable rational map algorithm uses two cryptographic keys: one of them is the private key, a set {φ₁, …, φₖ}, while the other key is the public key π(x₁, x₂, …, xₙ), wherein π(x₁, x₂, …, xₙ) is the composition

φₖ ⋯ φ₂φ₁(x₁, x₂, …, xₙ)

[0082] simplified by the relations

xᵢ^(#(K)) = xᵢ, i = 1, …, n.

[0083] In accordance with the theory of the present invention, it can also be used for verifying the identification of a person who sends a message. The method comprises the following steps: selecting a paragraph of words/numbers of a message, using the private key based on the tractable rational map algorithm to encrypt the paragraph of words/numbers, and using a public key based on the tractable rational map to decrypt the encrypted message to verify the identification information of the person who sends the message. In the embodiment, the tractable rational map algorithm uses two cryptographic keys: one of them is the private key, a set {φ₁, …, φₖ}, while the other key is the public key π(x₁, x₂, …, xₙ), wherein π(x₁, x₂, …, xₙ) is the composition

φₖ ⋯ φ₂φ₁(x₁, x₂, …, xₙ)

[0084] simplified by the relations

xᵢ^(#(K)) = xᵢ, i = 1, …, n.

[0085] In accordance with the theory of the present invention, it can also be used in a public-key cryptosystem for producing an ordinary key from a master key. The method comprises the following steps: using the tractable rational map algorithm to generate a master key, wherein said master key comprises a private key and a public key, and using zeroes to substitute a portion of the encrypted polynomial of said master key in order to generate an ordinary key, wherein said ordinary key comprises a private key and a public key. Either the master key or the ordinary key is used to perform the encryption and decryption. The encrypted message generated with the ordinary key can be decrypted by the master key. On the other hand, the encrypted message generated with the master key cannot be decrypted by the ordinary key. In the embodiment, the tractable rational map algorithm uses two cryptographic keys: one of them is the private key, a set {φ₁, …, φₖ}, while the other key is the public key π(x₁, x₂, …, xₙ), wherein π(x₁, x₂, …, xₙ) is the composition

φₖ ⋯ φ₂φ₁(x₁, x₂, …, xₙ)

[0086] simplified by the relations

xᵢ^(#(K)) = xᵢ, i = 1, …, n.

CRYPTANALYSIS FOR THE PRESENT INVENTION

[0087] In general, the methods to attack a public-key cryptosystem are either to break the public key or to break the encrypted message. The former aims at finding the private key, while the latter focuses on finding the original message without finding the private key.

[0088] Some of the possible methods for breaking the encryption public key are:

[0089] 1. Undetermined coefficients: Because too many coefficients are involved, it would be computationally infeasible;

[0090] 2. Using inverse formula: Because the characteristic of the finite field is larger than zero, it is not possible to use the inverse formula of power series. Moreover, the first order differential matrix of the polynomial map representing the public key may not be invertible, so the direct computation for solving the inverse map is infeasible;

[0091] 3. Using resultant: The resultant is only practical for very few variables. It would be computationally infeasible to use the resultant to attack;

[0092] 4. Isomorphism Problem (IP): The method, proposed by Jacques Patarin et al., is not suitable for attacking the cryptosystem of the present invention. This is because the assumptions for solving the IP are obviously different from those of the present invention; and

[0093] 5. Searching the polynomial relation: It is easy to make the polynomial relation disappear by carefully designing the tractable rational maps. It would be computationally infeasible.

[0094] Some of the possible methods for breaking the encrypted message are:

[0095] 1. Brute force: When there are many variables, obviously the direct attack is computationally infeasible; and

[0096] 2. Solving nonlinear equations: Solving a system of nonlinear equations is known to be an NP-complete problem. There are some relatively efficient ways to solve a system of nonlinear equations, such as the re-linearization scheme and the XL scheme. However, the re-linearization scheme is computationally infeasible as an attack on the present cryptosystem. The XL scheme is only valid for certain polynomial maps. Hence, applying the XL scheme to the present invention is in vain.

COMPARISON BETWEEN THE PRESENT INVENTION AND OTHER PUBLIC-KEY CRYPTOSYSTEMS

[0097] There are known public-key cryptosystems, such as RSA, ECC, NTRU, HFE, TTM, etc. The most widely used public-key cryptosystem is the RSA public-key system, and the cryptosystem most similar to the present invention is the TTM public-key system. A comparison among the present invention, the TTM public-key system, and the RSA public-key system is given below:

[0098] 1. Public key: The public key of the tractable rational map public-key system is a map represented by polynomials over a finite field, the public key of the TTM public-key system is also a map represented by polynomials over a finite field, and the public key of the RSA public-key system is a certain positive integer and a product of two prime numbers;

[0099] 2. Private key: The private key of the tractable rational map public-key system is a set of several tractable rational maps, the private key of the TTM public-key system is a set of several tame automorphisms, and the private key of the RSA public-key system is a certain positive integer and two prime numbers;

[0100] 3. The difficulty of breaking: The difficulty of breaking the tractable rational map system lies in solving a system of nonlinear equations or in the decomposition of a composite map into several tractable rational maps, the difficulty of breaking the TTM public-key system lies in solving a multi-variable system of nonlinear equations or in the decomposition of the map into tame automorphisms, and the difficulty of breaking the RSA public-key system lies in the decomposition of a large number;

[0101] 4. The speed of encryption and decryption: The tractable rational map and TTM public-key systems are much faster than the RSA public-key system;

[0102] 5. Theoretical security analysis: Because integer factoring, map factoring into tractable rational maps, map factoring into tame automorphisms, and solving nonlinear equations are very difficult and classical problems which have been studied by mathematicians for centuries, it seems impossible to find a complete solution for the aforementioned problems in the near future. From the viewpoint of polynomial ring structure, since a tractable rational map induces a homomorphism of the polynomial ring and a tame automorphism is an automorphism of the polynomial ring, it seems harder to break the present invention than to break TTM; and

[0103] 6. The expansion rate of ciphertext/plaintext: The expansion rate of the RSA public-key system is equal to 1; the expansion rate of the TTM public-key system, from the known research, is in the range of 1.5 to 3; and the expansion rate of the present invention lies in the range of 1 to 1.5. For some real applications, it is important for the expansion rate to be 1.

[0104] While the preferred embodiment of the invention has been illustrated and described, it will be appreciated that various changes can be made therein without departing from the spirit and scope of the invention.

What is claimed is:
1. A message processing method comprising the following steps: applying an encryption algorithm to transform the original message into the corresponding encrypted message; distributing said encrypted message through a medium; receiving said encrypted message; and decrypting said encrypted message; wherein said encryption and said decryption steps are based on tractable rational map algorithm to encrypt said original message and to decrypt said encrypted message.
2. The message processing method as in claim 1, wherein said tractable rational map algorithm uses two cryptographic keys, one of said cryptographic keys is the private key $\{\phi_1, \ldots, \phi_k\}$, while the other said cryptographic key is the public key $\pi(x_1, x_2, \ldots, x_n)$, wherein said private key $\{\phi_1, \ldots, \phi_k\}$ is a set of tractable rational maps, and said public key is the composition of the tractable rational maps $\phi_k \cdots \phi_2 \phi_1(x_1, x_2, \ldots, x_n)$ simplified by the relations $x_i^{\#(K)} = x_i$, $i = 1, \ldots, n$, where $\#(K)$ is the number of elements in the finite field.
3. The message processing method as in claim 2, wherein said tractable rational map $\phi: K^n \to K^n$ comprises the following formula:

$$
\begin{matrix}
y_1 = r_1(x_1) \\
y_2 = r_2(x_2) \cdot \frac{p_2(x_1)}{q_2(x_1)} + \frac{f_2(x_1)}{g_2(x_1)} \\
\vdots \\
y_j = r_j(x_j) \cdot \frac{p_j(x_1, x_2, \cdots, x_{j-1})}{q_j(x_1, x_2, \cdots, x_{j-1})} + \frac{f_j(x_1, x_2, \cdots, x_{j-1})}{g_j(x_1, x_2, \cdots, x_{j-1})} \\
\vdots \\
y_n = r_n(x_n) \cdot \frac{p_n(x_1, x_2, \cdots, x_{n-1})}{q_n(x_1, x_2, \cdots, x_{n-1})} + \frac{f_n(x_1, x_2, \cdots, x_{n-1})}{g_n(x_1, x_2, \cdots, x_{n-1})}
\end{matrix}
$$

wherein $K$ is a finite field, $p_2, p_3, \ldots, p_n$, $q_2, q_3, \ldots, q_n$, $f_2, f_3, \ldots, f_n$, $g_2, g_3, \ldots, g_n$ are all polynomials, $r_1, \ldots, r_n$ are permutation polynomials, and variables $x_1, x_2, \ldots, x_n$ may appear in any order or be any variation of their affine transformation.
4. The method as in claim 1, wherein said medium is an electronic communication medium.
5. The method as in claim 1, wherein said medium is a data card.
6. The method as in claim 1, wherein said medium is a printing medium.
7. The method as in claim 1, wherein said medium is a semiconductor memory device.
8. The method as in claim 1, wherein said medium is an optical disk.
9. The method as in claim 1, wherein said medium is an optical storage medium.
10. The method as in claim 1, wherein said medium is a magnetic recording medium.
11. A message processing computer system comprising: an encryption device for transforming an original message into the corresponding encrypted message; a distributing device for distributing said encrypted message through a medium; a decryption device for decrypting said encrypted message; wherein said encryption and decryption parts are programs based on tractable rational map algorithm for encrypting said original message and for decrypting said encrypted message.
12. The system as in claim 11, wherein said tractable rational map algorithm uses two cryptographic keys, one of said cryptographic keys is the private key $\{\phi_1, \ldots, \phi_k\}$, while the other said cryptographic key is the public key $\pi(x_1, x_2, \ldots, x_n)$, wherein said private key $\{\phi_1, \ldots, \phi_k\}$ is a set of tractable rational maps, and said public key is the composition of the tractable rational maps $\phi_k \cdots \phi_2 \phi_1(x_1, x_2, \ldots, x_n)$ simplified by the relations $x_i^{\#(K)} = x_i$, $i = 1, \ldots, n$, where $\#(K)$ is the number of elements in the finite field.
13. The system as in claim 12, wherein said tractable rational map $\phi: K^n \to K^n$ comprises the following formula:

$$
\begin{matrix}
y_1 = r_1(x_1) \\
y_2 = r_2(x_2) \cdot \frac{p_2(x_1)}{q_2(x_1)} + \frac{f_2(x_1)}{g_2(x_1)} \\
\vdots \\
y_j = r_j(x_j) \cdot \frac{p_j(x_1, x_2, \cdots, x_{j-1})}{q_j(x_1, x_2, \cdots, x_{j-1})} + \frac{f_j(x_1, x_2, \cdots, x_{j-1})}{g_j(x_1, x_2, \cdots, x_{j-1})} \\
\vdots \\
y_n = r_n(x_n) \cdot \frac{p_n(x_1, x_2, \cdots, x_{n-1})}{q_n(x_1, x_2, \cdots, x_{n-1})} + \frac{f_n(x_1, x_2, \cdots, x_{n-1})}{g_n(x_1, x_2, \cdots, x_{n-1})}
\end{matrix}
$$

wherein $K$ is a finite field, $p_2, p_3, \ldots, p_n$, $q_2, q_3, \ldots, q_n$, $f_2, f_3, \ldots, f_n$, $g_2, g_3, \ldots, g_n$ are all polynomials, $r_1, \ldots, r_n$ are permutation polynomials, and variables $x_1, x_2, \ldots, x_n$ may appear in any order or be any variation of their affine transformation.
14. The computer system as in claim 11, wherein said distributing device is an electronic communication device.
15. The computer system as in claim 11, wherein said distributing device is an optical recording device.
16. The computer system as in claim 11, wherein said distributing device is a magnetic recording device.
17. The computer system as in claim 11, wherein said distributing device is a card reader device.
18. The computer system as in claim 11, wherein said distributing device is a printer.
19. A method for preserving privacy and testifying the integrity of the information, comprising the following steps: using an encryption algorithm to transform an original message into a corresponding encrypted message; when the contents of said original message are needed, using a decryption algorithm to transform the said encrypted message into its original message; wherein said encryption and decryption steps are based on tractable rational map algorithm.
20. The method as in claim 19, wherein said tractable rational map algorithm uses two cryptographic keys, one of said cryptographic keys is the private key $\{\phi_1, \ldots, \phi_k\}$, while the other said cryptographic key is the public key $\pi(x_1, x_2, \ldots, x_n)$, wherein said private key $\{\phi_1, \ldots, \phi_k\}$ is a set of tractable rational maps, and said public key is the composition of the tractable rational maps $\phi_k \cdots \phi_2 \phi_1(x_1, x_2, \ldots, x_n)$ simplified by the relations $x_i^{\#(K)} = x_i$, $i = 1, \ldots, n$, where $\#(K)$ is the number of elements in the finite field.
21. The method as in claim 20, wherein said tractable rational map $\phi: K^n \to K^n$ comprises the following formula:

$$
\begin{matrix}
y_1 = r_1(x_1) \\
y_2 = r_2(x_2) \cdot \frac{p_2(x_1)}{q_2(x_1)} + \frac{f_2(x_1)}{g_2(x_1)} \\
\vdots \\
y_j = r_j(x_j) \cdot \frac{p_j(x_1, x_2, \cdots, x_{j-1})}{q_j(x_1, x_2, \cdots, x_{j-1})} + \frac{f_j(x_1, x_2, \cdots, x_{j-1})}{g_j(x_1, x_2, \cdots, x_{j-1})} \\
\vdots \\
y_n = r_n(x_n) \cdot \frac{p_n(x_1, x_2, \cdots, x_{n-1})}{q_n(x_1, x_2, \cdots, x_{n-1})} + \frac{f_n(x_1, x_2, \cdots, x_{n-1})}{g_n(x_1, x_2, \cdots, x_{n-1})}
\end{matrix}
$$

wherein $K$ is a finite field, $p_2, p_3, \ldots, p_n$, $q_2, q_3, \ldots, q_n$, $f_2, f_3, \ldots, f_n$, $g_2, g_3, \ldots, g_n$ are all polynomials, $r_1, \ldots, r_n$ are permutation polynomials, and variables $x_1, x_2, \ldots, x_n$ may appear in any order or be any variation of their affine transformation.
22. A testify method for verifying the authenticity of a product, comprising the following steps: using a private key based on tractable rational map algorithm to transform an identification information of a product into an encrypted information; using a public key based on tractable rational map algorithm to decrypt said encrypted information into said identification information of said product to verify the authenticity of said product; wherein said encryption and decryption algorithms are based on tractable rational map algorithm.
23. The method as in claim 22, wherein said tractable rational map algorithm uses two cryptographic keys, one of said cryptographic keys is the private key $\{\phi_1, \ldots, \phi_k\}$, while the other said cryptographic key is the public key $\pi(x_1, x_2, \ldots, x_n)$, wherein said private key $\{\phi_1, \ldots, \phi_k\}$ is a set of tractable rational maps, and said public key is the composition of the tractable rational maps $\phi_k \cdots \phi_2 \phi_1(x_1, x_2, \ldots, x_n)$ simplified by the relations $x_i^{\#(K)} = x_i$, $i = 1, \ldots, n$, where $\#(K)$ is the number of elements in the finite field.
24. The method as in claim 23, wherein said tractable rational map $\phi: K^n \to K^n$ comprises the following formula:

$$
\begin{matrix}
y_1 = r_1(x_1) \\
y_2 = r_2(x_2) \cdot \frac{p_2(x_1)}{q_2(x_1)} + \frac{f_2(x_1)}{g_2(x_1)} \\
\vdots \\
y_j = r_j(x_j) \cdot \frac{p_j(x_1, x_2, \cdots, x_{j-1})}{q_j(x_1, x_2, \cdots, x_{j-1})} + \frac{f_j(x_1, x_2, \cdots, x_{j-1})}{g_j(x_1, x_2, \cdots, x_{j-1})} \\
\vdots \\
y_n = r_n(x_n) \cdot \frac{p_n(x_1, x_2, \cdots, x_{n-1})}{q_n(x_1, x_2, \cdots, x_{n-1})} + \frac{f_n(x_1, x_2, \cdots, x_{n-1})}{g_n(x_1, x_2, \cdots, x_{n-1})}
\end{matrix}
$$

wherein $K$ is a finite field, $p_2, p_3, \ldots, p_n$, $q_2, q_3, \ldots, q_n$, $f_2, f_3, \ldots, f_n$, $g_2, g_3, \ldots, g_n$ are all polynomials, $r_1, \ldots, r_n$ are permutation polynomials, and variables $x_1, x_2, \ldots, x_n$ may appear in any order or be any variation of their affine transformation.
25. A method for preventing alteration of information on a storage device, comprises the following steps: using a private key based on tractable rational map algorithm to store an encrypted version of the information into an information storage device; using a public key based on tractable rational map algorithm to decrypt the encrypted version into said information on a storage device; wherein said encryption and decryption algorithms are based on tractable rational map algorithm.
26. The method as in claim 25, wherein said tractable rational map algorithm uses two cryptographic keys, one of said cryptographic keys is the private key $\{\phi_1, \ldots, \phi_k\}$, while the other said cryptographic key is the public key $\pi(x_1, x_2, \ldots, x_n)$, wherein said private key $\{\phi_1, \ldots, \phi_k\}$ is a set of tractable rational maps, and said public key is the composition of the tractable rational maps $\phi_k \cdots \phi_2 \phi_1(x_1, x_2, \ldots, x_n)$ simplified by the relations $x_i^{\#(K)} = x_i$, $i = 1, \ldots, n$, where $\#(K)$ is the number of elements in the finite field.
27. The method as in claim 26, wherein said tractable rational map $\phi: K^n \to K^n$ comprises the following formula:

$$
\begin{matrix}
y_1 = r_1(x_1) \\
y_2 = r_2(x_2) \cdot \frac{p_2(x_1)}{q_2(x_1)} + \frac{f_2(x_1)}{g_2(x_1)} \\
\vdots \\
y_j = r_j(x_j) \cdot \frac{p_j(x_1, x_2, \cdots, x_{j-1})}{q_j(x_1, x_2, \cdots, x_{j-1})} + \frac{f_j(x_1, x_2, \cdots, x_{j-1})}{g_j(x_1, x_2, \cdots, x_{j-1})} \\
\vdots \\
y_n = r_n(x_n) \cdot \frac{p_n(x_1, x_2, \cdots, x_{n-1})}{q_n(x_1, x_2, \cdots, x_{n-1})} + \frac{f_n(x_1, x_2, \cdots, x_{n-1})}{g_n(x_1, x_2, \cdots, x_{n-1})}
\end{matrix}
$$

wherein $K$ is a finite field, $p_2, p_3, \ldots, p_n$, $q_2, q_3, \ldots, q_n$, $f_2, f_3, \ldots, f_n$, $g_2, g_3, \ldots, g_n$ are all polynomials, $r_1, \ldots, r_n$ are permutation polynomials, and variables $x_1, x_2, \ldots, x_n$ may appear in any order or be any variation of their affine transformation.
28. A method for verifying the identification of the sender of a message, comprises the following steps: input the message to a hash function that produces a secure hash code; using a private key based on tractable rational map to transform said hash code into an encrypted version; using a public key based on tractable rational map to decrypt said encrypted version to verify the identification of said sender of said message; wherein said encryption and decryption algorithms are based on tractable rational map algorithm.
29. The method as in claim 28, wherein said tractable rational map algorithm uses two cryptographic keys, one of said cryptographic keys is the private key $\{\phi_1, \ldots, \phi_k\}$, while the other said cryptographic key is the public key $\pi(x_1, x_2, \ldots, x_n)$, wherein said private key $\{\phi_1, \ldots, \phi_k\}$ is a set of tractable rational maps, and said public key is the composition of the tractable rational maps $\phi_k \cdots \phi_2 \phi_1(x_1, x_2, \ldots, x_n)$ simplified by the relations $x_i^{\#(K)} = x_i$, $i = 1, \ldots, n$, where $\#(K)$ is the number of elements in the finite field.
30. The method as in claim 29, wherein said tractable rational map $\phi: K^n \to K^n$ comprises the following formula:

$$
\begin{matrix}
y_1 = r_1(x_1) \\
y_2 = r_2(x_2) \cdot \frac{p_2(x_1)}{q_2(x_1)} + \frac{f_2(x_1)}{g_2(x_1)} \\
\vdots \\
y_j = r_j(x_j) \cdot \frac{p_j(x_1, x_2, \cdots, x_{j-1})}{q_j(x_1, x_2, \cdots, x_{j-1})} + \frac{f_j(x_1, x_2, \cdots, x_{j-1})}{g_j(x_1, x_2, \cdots, x_{j-1})} \\
\vdots \\
y_n = r_n(x_n) \cdot \frac{p_n(x_1, x_2, \cdots, x_{n-1})}{q_n(x_1, x_2, \cdots, x_{n-1})} + \frac{f_n(x_1, x_2, \cdots, x_{n-1})}{g_n(x_1, x_2, \cdots, x_{n-1})}
\end{matrix}
$$

wherein $K$ is a finite field, $p_2, p_3, \ldots, p_n$, $q_2, q_3, \ldots, q_n$, $f_2, f_3, \ldots, f_n$, $g_2, g_3, \ldots, g_n$ are all polynomials, $r_1, \ldots, r_n$ are permutation polynomials, and variables $x_1, x_2, \ldots, x_n$ may appear in any order or be any variation of their affine transformation.
31. A method for producing an ordinary key from a master key in public-key cryptosystem, comprises the following steps: using tractable rational map algorithm to generate a master key, wherein said master key comprises a private key and a public key; replacing a portion of the encrypted polynomial of said master key with zero to generate an ordinary key, wherein said ordinary key comprises a private key and a public key; using said master key and said ordinary key to perform encryption and decryption; wherein said encryption and decryption are based on tractable rational map algorithm.
32. The method as in claim 31, wherein said tractable rational map algorithm uses two cryptographic keys, one of said cryptographic keys is the private key $\{\phi_1, \ldots, \phi_k\}$, while the other said cryptographic key is the public key $\pi(x_1, x_2, \ldots, x_n)$, wherein said private key $\{\phi_1, \ldots, \phi_k\}$ is a set of tractable rational maps, and said public key is the composition of the tractable rational maps $\phi_k \cdots \phi_2 \phi_1(x_1, x_2, \ldots, x_n)$ simplified by the relations $x_i^{\#(K)} = x_i$, $i = 1, \ldots, n$, where $\#(K)$ is the number of elements in the finite field.
33. The method as in claim 32, wherein said tractable rational map $\phi: K^n \to K^n$ comprises the following formula:

$$
\begin{matrix}
y_1 = r_1(x_1) \\
y_2 = r_2(x_2) \cdot \frac{p_2(x_1)}{q_2(x_1)} + \frac{f_2(x_1)}{g_2(x_1)} \\
\vdots \\
y_j = r_j(x_j) \cdot \frac{p_j(x_1, x_2, \cdots, x_{j-1})}{q_j(x_1, x_2, \cdots, x_{j-1})} + \frac{f_j(x_1, x_2, \cdots, x_{j-1})}{g_j(x_1, x_2, \cdots, x_{j-1})} \\
\vdots \\
y_n = r_n(x_n) \cdot \frac{p_n(x_1, x_2, \cdots, x_{n-1})}{q_n(x_1, x_2, \cdots, x_{n-1})} + \frac{f_n(x_1, x_2, \cdots, x_{n-1})}{g_n(x_1, x_2, \cdots, x_{n-1})}
\end{matrix}
$$

wherein $K$ is a finite field, $p_2, p_3, \ldots, p_n$, $q_2, q_3, \ldots, q_n$, $f_2, f_3, \ldots, f_n$, $g_2, g_3, \ldots, g_n$ are all polynomials, $r_1, \ldots, r_n$ are permutation polynomials, and variables $x_1, x_2, \ldots, x_n$ may appear in any order or be any variation of their affine transformation.
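
The triangular formula recited in the claims can be inverted one coordinate at a time, but only at points where every denominator and every multiplier $p_j$ is nonzero. The following toy instance is an added example, not code from the patent; it shows the forward map, the step-by-step inverse, a two-map composition, and the point where inversion fails. Assumptions: the prime field GF(251), permutation polynomials of the form $r_j(t) = t^e$, the constructed maps `PHI1` and `PHI2`, and direct evaluation of the composition instead of the expanded polynomial public key $\pi$.

```python
P = 251  # constructed toy prime field GF(251); the claims allow any finite field K

def inv(a):
    """Inverse in GF(P). pow(0, P-2, P) would silently return 0, so check first."""
    a %= P
    if a == 0:
        raise ZeroDivisionError("rational map undefined or not invertible here")
    return pow(a, P - 2, P)

ONE = lambda u: 1
ZERO = lambda u: 0

# Each component j is (e, p, q, f, g): r_j(t) = t**e is a permutation polynomial
# because gcd(e, P-1) == 1; p, q, f, g take the earlier variables u = [x_1..x_{j-1}].
PHI1 = [
    (3, ONE, ONE, ZERO, ONE),
    (7, lambda u: u[0] + 2, lambda u: u[0]**2 + 1,
        lambda u: 3 * u[0], lambda u: u[0] + 5),
    (9, lambda u: u[0] * u[1] + 1, lambda u: u[1]**2 + 1,
        lambda u: u[0] + u[1], lambda u: u[0]**2 + 1),
]
# PHI2 uses only factors of the form w^2 + 1, which never vanish in GF(251)
# (-1 is a non-residue because 251 % 4 == 3), so PHI2 is a bijection on K^3.
PHI2 = [
    (9, ONE, ONE, ZERO, ONE),
    (3, lambda u: u[0]**2 + 1, ONE,
        lambda u: 4 * u[0], lambda u: (u[0] + 1)**2 + 1),
    (7, lambda u: (u[0] + u[1])**2 + 1, lambda u: (u[0] * u[1])**2 + 1,
        lambda u: u[1], ONE),
]

def forward(phi, x):
    """y_j = r_j(x_j) * p_j/q_j + f_j/g_j, evaluated on the prefix x_1..x_{j-1}."""
    y = []
    for j, (e, p, q, f, g) in enumerate(phi):
        u = x[:j]
        y.append((pow(x[j], e, P) * p(u) * inv(q(u)) + f(u) * inv(g(u))) % P)
    return y

def invert(phi, y):
    """Recover x_1 first, then each x_j from y_j and the already-known prefix."""
    x = []
    for j, (e, p, q, f, g) in enumerate(phi):
        s = p(x) * inv(q(x))                    # multiplier p_j/q_j on the prefix
        r = (y[j] - f(x) * inv(g(x))) * inv(s)  # raises when p_j vanishes
        x.append(pow(r % P, pow(e, -1, P - 1), P))  # undo the power map t -> t**e
    return x

def encrypt(x):
    # Composition of both maps with the variable order reversed in between.
    return forward(PHI2, forward(PHI1, x)[::-1])

def decrypt(y):
    return invert(PHI1, invert(PHI2, y)[::-1])
```

At `x_1 = 249` the multiplier `p_2 = x_1 + 2` is zero, so `y_2` no longer depends on `x_2` and `invert` raises instead of returning a wrong plaintext; at `x_1 = 246` the denominator `g_2` is zero and `forward` itself is undefined.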